Semanage is a tool used to configure certain elements of SELinux policy without modifying or recompiling policy sources. This includes mapping Linux usernames to SELinux user identities and security context mappings for objects like network ports, interfaces, and hosts.
By default, SELinux only allows known services to bind to known ports. If we want to modify a service to use a non-default port we will need to modify the port type with the semanage command.
In this article, we will explore the semanage command and learn how to list, create/add and delete port types on RPM-based distributions like CentOS and RedHat.
Listing Ports with Semanage
The basic command for listing all ports is
# semanage port -l
SELinux Port Type Proto Port Number
afs3_callback_port_t tcp 7001
afs3_callback_port_t udp 7001
afs_bos_port_t udp 7007
afs_fs_port_t tcp 2040
afs_fs_port_t udp 7000, 7005
afs_ka_port_t udp 7004
afs_pt_port_t tcp 7002
afs_pt_port_t udp 7002
...To list port numbers of a specific port like http, use this command:
# semanage port -l | grep -w http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000Similarly for mysqld
# semanage port -l | grep -w mysqld_port_tmysqld_port_t tcp 1186, 3306, 63132-63164To find port names with a specific port number in it, use this command:
# semanage port -l | grep 53apertus_ldp_port_t tcp 539
apertus_ldp_port_t udp 539
dns_port_t tcp 53
dns_port_t udp 53Creating or Adding Ports with Semanage
In this example, we will create a new port for http and assign it to tcp port 2222. The -a option is to add a new port, the -t option specifies the SELinux type, and the -p option is to specify the protocol to use (in this case tcp).
# semanage port -a -t http_port_t -p tcp 2222to view the newly created port, we use the command list command with the -C option to show only customizations.
# semanage port -lCSELinux Port Type Proto Port Number
http_port_t tcp 2222To assign a range of ports numbers to a specific port, use the command:
# semanage port -a -t http_port_t -p tcp 2223-2225Now, we can see the port range here.
# semanage port -lC
SELinux Port Type Proto Port Number
http_port_t tcp 2223-2225If you try to add another entry with the same values like you used before, you get the error:
ValueError: Port tcp/2222 already definedTo override an existing port that was already created, use the -m option to modify:
# semanage port -m -t unreserved_port_t -p tcp 2222Now if we list all ports we will see the change.
# semanage port -lC
SELinux Port Type Proto Port Number
unreserved_port_t tcp 2222Deleting Ports with Semanage
We use the option -d to delete a port record. To delete unreserved_port_t on tcp port 2222, we use the command:
# semanage port -d -t unreserved_port_t -p tcp 2222To delete a range of ports, use the command:
# semanage port -d -t http_port_t -p tcp 2223-2225If you run the customized list command and it returns nothing, then the entry has been removed.
Using Semanage-Permmissive
Semanage permissive is used to add or remove SELinux Policy permissive modules.
To list all permissive modules, use the -l option:
# semanage permissive -l
Customized Permissive Types
Builtin Permissive Types
sanlk_resetd_t
hsqldb_t
systemd_hwdb_t
blkmapd_t
ipmievd_t
targetd_tTo create httpd_t a permissive domain, use the -a option:
# semanage permissive -a httpd_tNow, let's check all permissive modules:
# semanage permissive -l
Customized Permissive Types
httpd_t
Builtin Permissive Types
sanlk_resetd_t
hsqldb_t
systemd_hwdb_t
blkmapd_t
ipmievd_tTo delete a permissive type we just created, we use the -d option.
# semanage permissive -d httpd_t
libsemanage.semanage_direct_remove_key: Removing last permissive_httpd_t module (no other permissive_httpd_t module exists at another priority).In this article, we saw how to list, add and delete ports using the semanage tool for RPM-based Linux distributions. If your system has a GUI, you can install the policycoreutils-gui package via yum and then run system-config-selinux command to open the GUI version and configure SELinux port types from the Network Port menu.
